Privacy Policy – NRN Remit

The purpose of these Regulations is to ensure the appropriateness of information management and protect the rights and interests of users by stipulating matters necessary for management of information about the users of NRN Remit's money receiving service.

The following terms used in these Regulations shall have the following meanings defined in each item below:

"User Information" shall mean information about the users of NRN Remit's money receiving service and website users, including not only information about the facts such as name, gender, date of birth, address, age, occupation, but also information representing judgment and evaluation on attributes such as body, property and occupation, as well as transaction history of our money receiving service and balance account information of an individual person or its agent.

"Personal Information" shall mean information about existing individual persons out of User Information that can identify a certain individual by name, date of birth or other description, etc., contained in such information (including information that can easily be checked with other information and identify a certain individual by such information).

"User Information Controller" shall mean the Manager/Head of Legal Department who specifies the parameters to disclose the information.

"User Information Manager" shall mean the Manager/Head of Compliance Department responsible to collect, store, manage and disburse the information as required.

"Principal" shall mean a certain individual who can be identified by Personal Information.

"User Information Officers" shall mean the Officers appointed by the User Information Manager from every department who shall be given required training about the management, storage and disclosure of information by the Compliance Department.

Unless otherwise specified, any terms other than the terms listed above shall follow the definitions provided by the Individual Privacy Act 2018.

The department responsible for User Information management shall be the Compliance Department. The Executive Manager/Head of the Legal Department shall be the overall controller of User Information management (hereinafter called the "Information Overall Controller").

The controller of audit on the management of User Information (hereinafter called the "Audit Controller") shall be the Head of Compliance Department.

User Information shall be acquired in an appropriate and fair manner to the extent required for accomplishing the intended use of the information by limiting such intended use as practically as possible.

4.1 Notification and Publication of Intended Use in Acquiring Personal Information

If Personal Information out of User Information is acquired, its intended use shall be immediately notified to the Principal/Agent or published, except the case where such intended use is published in advance.

Notwithstanding the above provision, if Personal Information contained in a contract or any other document is acquired in connection with execution of such a contract with the Principal, its intended use shall be clearly notified to the Principal in advance.

If the intended use is changed, such changed intended use shall be notified to the Principal or published.

The provisions set forth in the above three clauses shall not apply to any of the following cases:

• if the notification to the Principal or publication of the intended use may do harm to the rights or fair profits of NRN Remit;
• in the case where it is required to assist any government agency or local government in performing its due process required by law, if the notification to the Principal or publication of the intended use may interfere with the performance of such due process of law.

The Information Manager shall appoint a person in charge of acquisition and input of User Information depending on business needs from the concerned department as 'Privacy Champions' and any persons other than the person in charge shall not acquire or input User Information.

The Information Overall Controller shall set a limit on information to be acquired and input depending on business needs, and the person in charge of acquisition and input of User Information shall not acquire or input any information other than such information.

If the person in charge of acquisition and input of User Information performs any work other than the work specified by the Information Overall Controller, the person in charge shall notify the Information Overall Controller of such work in advance for approval.

The Information Manager shall formulate procedures to check and confirm the number and content, etc., of User Information used and processed, and shall cause the person in charge to implement the procedures.

The Information Manager shall review the records checked and confirmed in accordance with the above procedures, and shall store such records in a specified place for a specified period of time, as necessary.

The Information Manager shall check such records as stored in accordance with the above clause regularly.

If User Information is taken out from the specified storage place at a stage of use and processing of information, the person in charge of use and processing of the information shall obtain the approval of the Information Overall Controller by submitting a written request indicating the following items:

• Name of the person in charge related to the taking-out
• Details of User Information intended for taking-out
• Purpose of taking-out
• Devices or media that contain a record of the information to be taken out
• Period during which the information is taken out

If any paper or magnetic media, etc., that contain User Information are erased or disposed of, it shall be carried out in an appropriate manner by means of shredding, incineration, melting, magnetic erasure, or destruction in accordance with the instructions of the Information Manager depending on the content of the relevant information. If erasure or disposal work is assigned to any party other than NRN Remit, a certificate of erasure or disposal shall be obtained, and the fact of erasure or disposal shall be checked as necessary.

Any Personal Information that contains any of the following items shall not be acquired, used, or provided:

• Matters concerning thought, belief, and religion
• Race, ethnicity, place of origin, registered domicile (excluding information about present address), physical and mental disability, criminal history, and any other matters that cause social discrimination
• Matters concerning the right to organize, bargain collectively, and any other work in groups of working persons
• Matters concerning participation in demonstration and exercise of the right of petition and any other political rights
• Matters concerning health and medical care

Unless otherwise specified by law and these Regulations, User Information including Personal Information shall not be provided to any third party.

If any employee who handles User Information deems it necessary to provide User Information to any third party, such an employee shall give notice to the Information Overall Controller for approval, whether it contains Personal Information or not.

Unless otherwise permitted by law, if Personal Information is included in the information to be provided with respect to such notice as set forth in the previous clause, the Information Overall Controller shall give approval after obtaining the informed consent from the Principal on the following items:

• Name of a third party to which User Information is provided
• Intended use by the third party who receives User Information
• Content of the information to be provided to the third party

For employees' handling of User Information, the department responsible for User Information management (Compliance Department) shall set up an appropriate internal management system by appointing the Human Resource Manager as 'Privacy Officer' to ensure safety management of the information, and shall exercise necessary and appropriate supervision over the employees.

"Necessary and appropriate supervision" as set forth in the previous clause shall be exercised by the following system, etc.:

• To enter into an agreement with employees at the time of recruitment which obliges the employees not to disclose User Information obtained in connection with NRN Remit's business to any third party or use it for any purposes other than the intended purpose, both while in office and after retirement.
• To define the role and responsibility of employees, familiarize officers and employees with, and provide education and training to officers and employees concerning their duties of safety management through development of regulations for appropriate handling of User Information.
• To maintain a system to check the compliance status on the matters specified in the internal safety management measures and conduct inspection and audit on the protection of User Information by employees in order to prevent unauthorized taking-out of User Information.

The Information Overall Controller shall conduct an investigation on the following items to check the actual situation:

• Actions to preserve evidence
• Confirmation of the fact of the leak, etc.
• Identification of User Information involved in the leak, etc. (affected person, attributes, number of items, etc.)
• Investigation of the route and cause of the leak, etc.

In the event of a data leak accident, the Information Overall Controller shall make efforts to prevent damage from expanding by implementing the following measures:

• Collection of leaked information, etc.
• Development and implementation of preventive measures for cases where highly sensitive information such as account numbers or passwords is leaked and there is a high risk of secondary damage.

If all or any of the handling of User Information is outsourced to any third party, the person in charge of handling such User Information shall give prior written notice to the Information Overall Controller for approval.

The Information Manager shall take the following measures, and shall make an application to the department responsible for User Information management for approval of the Information Overall Controller before entering into a contract with a subcontractor:

• To conduct an interview with a responsible person of the subcontractor and conduct an on-site review at the information processing facility of the subcontractor to ensure that the level of protection and security management of User Information is the same or higher than that of NRN Remit.
• To obtain financial information about the subcontractor to ensure its financial safety.
• To set forth necessary provisions in a consignment contract in accordance with the Act on Settlement of Funds, Act on the Protection of Personal Information, and any other applicable laws and regulations, as well as the policies and guidelines of the authorities concerned, and also to set out necessary provisions concerning confidentiality and safety operation in such a consignment contract to ensure safety.

During the term of the consignment contract, the person in charge shall check whether the subcontractor complies with the contract with NRN Remit. In the event that any violation of the contract is found, the person in charge shall give notice to the Information Overall Controller to that effect.

The Information Overall Controller shall keep documents including a consignment contract, audit reports, and notice letters prepared under this Article (including electromagnetic records) for Five (5) years after the termination of the contract.

If the department responsible for User Information management is requested to make a disclosure of Personal Information (limited to information related to the Principal) by the Principal, it shall disclose Personal Information to the Principal without delay in accordance with the method permitted by the Principal, except in the following cases:

• iii. if it may do harm to the life, body, property, and any other rights and interests of the Principal or any third party;
• iv. if it may significantly interfere with the fair practice of business of NRN Remit;
• v. if it may result in the violation of the applicable laws.

If the department responsible for User Information management cannot disclose Personal Information, it shall give notice to the Principal without delay and explain the reason by indicating grounds for such decision and the facts constituting those grounds.

If the department responsible for User Information management is requested to correct, add, or delete Personal Information (hereinafter collectively referred to as "Correction") based on the fact that such information is inaccurate, NRN Remit shall confirm such inaccuracy, and if necessary, shall correct, add, or delete the Personal Information accordingly. NRN Remit shall give notice to the Principal about the outcome without delay.

In the event that Personal Information is corrected and disclosed after the correction, NRN Remit shall disclose such corrections to the Principal without delay in the manner requested by the Principal.

The department responsible for User Information management shall set out the following items with respect to the request for disclosure as set forth in Article 16:

• An application to be submitted when requesting disclosure;
• Method of identification of a person who requests disclosure;
• Method of response to the request for disclosure, etc.